| 引用本文: | 陈曙晖,苏金树.基于内容分析的协议识别研究.[J].国防科技大学学报,2008,30(4):82-87.[点击复制] |
| CHEN Shuhui,SU Jinshu.Protocol Identification Research Based on Content Analysis[J].Journal of National University of Defense Technology,2008,30(4):82-87[点击复制] |
|
| |
|
|
| 本文已被:浏览 7042次 下载 5986次 |
| 基于内容分析的协议识别研究 |
| 陈曙晖, 苏金树 |
|
(国防科技大学 计算机学院,湖南 长沙 410073)
|
| 摘要: |
| 为解决多模式同时匹配的协议识别性能问题,提出了一种多模式组合有限状态机;以Thompson算法为基础,提出了一种压缩ε的NFA构造算法,该算法通过减少ε边及其对应状态,有效提高在协议模式编译时,NFA转换成DFA及DFA最小化过程的性能;基于上述理论与算法实现了一种One-Pass的组合多模式协议识别系统。实验表明:结合上述技术实现的系统,编译性能比标准DFA构造过程提高了7倍以上,匹配性能比L7-Filter提高了近20倍。 |
| 关键词: 网络安全 协议识别 模式匹配 正则表达式 |
| DOI: |
| 投稿日期:2008-02-10 |
| 基金项目:国家自然科学基金资助项目(90604006);国家部委资助项目 |
|
| Protocol Identification Research Based on Content Analysis |
| CHEN Shuhui, SU Jinshu |
|
(College of Computer, National Univ. of Defense Technology, Changsha 410073, China)
|
| Abstract: |
| To solve the performance problem in Regular Expression matching of Protocol Identification, this paper introduces a Multi-pattern FSM (MPFSM), which can use one FSM to match several Regular Expressions. Based on Thompson algorithm, an Epsilon Compressed NFA Construction Algorithm is also put forward and implemented. This algorithm enhances the performance of conversion from NFA to DFA by decreasing the epsilon edges and the corresponding states. A One-pass Multiple-pattern protocol identification system is also implemented using the Multi-pattern FSM and corresponding algorithms. Experiments based on actual traffic are employed to show that the compile speed would be 7 times faster than the usual transfer process, and the Matching speed would be 20 times faster than the L7-Filter. |
| Keywords: network security protocol identification pattern matching regular expression |
|
|
